In response to an article published on another site asking whether MSPs are struggling to keep up with IT security, MSPs need to be aware of such online conversations and be prepared to enter the discussion. As for my views, I will happily offer them here.
MSP Practices
Our profession has well-established best practices and standards of conduct that extend throughout the world. Taking the MSPAlliance as just one example, our community has created a customer bill of rights, an MSP code of ethics, and a standard called the MSP Verify. We took these measures to provide guidance to the MSP community and help the consumers of managed services make better-informed decisions about outsourcing their IT.
For over 20 years, MSPs have been stewards of IT management on behalf of their clients. Starting with the enterprise community, those early-stage MSPs implemented policy at the direction of the clients they served. Yes, the MSPs needed to have strong internal controls and processes in place, but they were mainly directed by their clients. Even as early as the mid-1990s, managed services clients had well-established IT processes and controls in place and understood how to outsource IT management to MSPs.
As the years passed and smaller organizations began to understand the benefits of using MSPs, something interesting happened. The managed services customers practiced outsourcing IT without the experience of having a robust internal IT control framework.
As the mid-market and SMB communities embraced IT outsourcing, MSPs began to see disparities between their IT controls and those belonging to their clients. Only one thing stands in the way of MSPs implementing IT security controls: the customer.
Now, to avoid the inevitable outraged emails from end-user organizations, I acknowledge there are exceptions to the rule. I recognize there are practicing MSPs (or companies calling themselves MSPs) who have had lapses in security, made mistakes, or just have poorly constructed policies and procedures that require updating.
I also know that thousands of MSPs I have spoken with complain about the state of IT security within their clients precisely because the clients have rejected these improvements. Suppose a customer refuses to allow an MSP to implement a best practice such as multi-factor authentication, regular data backups, and change management controls through their MSP. In that case, the client should at least be performing these same controls internally and on their own. This rarely happens, especially at the smaller end of the market. After all, that's why the client is outsourcing their IT management in the first place.

